Naked Security

Employee surveillance – how far is too far?

Big Brother Bossman may be monitoring every key you tap, every post you make, every site you see

Not happy with your job? Been LinkedIn-ing it up on work time, on the company’s network and your work-issued PC? Have you sent out your résumé and titled the message something straightforward? Like, say, “résumé?” Or maybe you’re smarter than that, and you move risky conversations and you-are-toast-if-they-find-out keywords to an encrypted app, like WhatsApp?

Oh, dear.

Somebody should have filled you in: you see, workplace surveillance has grown up. It’s put on its big-boy pants. It’s evolved past eyeballing email and eavesdropping on phone calls: that’s so old school.

According to a report from The Guardian, the technology has gotten to the point of a “digital panopticon” that includes tracking where employees browse online and what they say in text messages, capturing screenshots, recording keystrokes, nosing around in social media posts, surveilling “private” (ha!) messaging apps like WhatsApp, and even inserting itself into face-to-face interactions between co-workers.

Employee surveillance isn’t exactly new. As Bloomberg reported last year, companies including JPMorgan Chase and Bank of America have explored systems that monitor workers’ very emotions, all in the name of boosting performance and compliance.

In February, Bloomberg BusinessWeek reported on goings-on at the Daily Telegraph, where employees discovered mysterious “OccupEye” black boxes beneath their desks, set up to track exactly when each desk was occupied.

Another company, Humanyze, has microphone-equipped smart badges that track employee movements, creating a heat map of office activity to help companies plan more effective office redesigns. The badges don’t track conversation content, but they do track how often employees talk to each other, as well as each employee’s proportion of talking to listening.

Combined with big data technologies, Humanyze promises a whole raft of additional applications, such as better predictions of when valued employees are planning to quit, so companies can intervene to keep them.

Which gets us back to the use of that trigger word, “résumé.”

As the Guardian reports, it’s common, if old-school, for employers to use keyword detection, keeping an eye out for lists of predefined terms, including swear words and slang that give off an ominous odor. Employers keep setting it up in spite of the approach throwing off a good deal of false positives and being pretty easy for employees to skirt… well, except when they don’t.

That’s what happened when an All State Insurance franchise conducted a live demonstration of a package of employee monitoring tools from Awareness Technologies under the brand Interguard. The technology worked quite well in the demo. Almost immediately after starting to scan the network, it hit on an email with the words “client list” and “résumé”, the Guardian reports:

The demonstrator opened the email in front of a room full of peers to discover his best employee was plotting to move to another company.

Well, ouch. Old-school, but still, ouch.

Some of the newer, more cutting-edge employee spy apps:

  • Look for subtle forms of trouble like “context switching”, such as an employee suggesting a discussion is moved to an encrypted app, like WhatsApp or Signal.
  • Are placed on employees’ devices (with their consent) so that conversations can be followed if they do switch to encrypted messaging.
  • Track how much somebody flips back and forth between apps to see if they’re unproductive multitaskers with a Facebook habit.
  • Screen social media posts for potentially problematic content, such as references to bigotry, misogyny, violence, or drugs and alcohol.

Is all this intrusive as hell? Oh yes, though by and large, it’s legal in the US. California and Maine have slightly stricter laws protecting employee privacy, but for the most part, employers can track you without worrying too much that they’ll get into legal hot water – barring spying on employees via webcam. However, there is one product, WorkSmart, that snaps photos of workers every 10 minutes, combines the images with screenshots of their workstations, mixes it all up with recorded app use and keystrokes, and bakes up a “focus score” and an “intensity score” to gauge whether freelancers are worth their salt.

Where the legality (possibly) stops is when the boss starts monitoring – or even asking about – employees when they’re off the clock, according to the legal site Nolo.com. The issue came up a few years ago when a former sales executive for the money transfer service Intermex sued her employer for firing her after she disabled a 24×7 monitoring app.

Nolo says that for public employers, both monitoring and merely inquiring about employees’ off-the-job life are largely off-limits.

As far as private sector companies go, some state constitutions, including California’s, prohibit employers from taking any job-related action against a worker based on whatever (legal) activity they do when they’re not working.

That’s not the same as forbidding monitoring of off-duty workers, though.

Of course, companies that handle money have a vested interest in keeping an eye on potential rip-off artists in their work force. As the Guardian notes, that’s why most surveillance tech providers focus their attention on the financial sector: that’s where companies are required, by law, to prevent insider trading by tracking staff communications.

One of the news outlet’s sources said his employer, a large consulting firm, was pondering whether it could look at employees’ Facebook pages to see if they could sniff out fraud. Say, if a trader changes their relationship status from married to divorced: would that put somebody under financial strain, leading them to fraud or theft?

It’s quite a leap, to assume that somebody whose marriage broke up is going to be turned into a thief and should be monitored, he said.

At any rate, don’t assume you’re free and clear if you don’t work at a stock brokerage or the like. These surveillance products are increasingly being sold to monitor employee productivity, data leaks, sexual harassment or other inappropriate behavior, the Guardian reports.

Many of us will balk at this surveillance state, particularly if we think of ourselves as knowledge workers. We don’t clock on and clock off at exactly the same time. There’s no production line that’s going to blow up if we aren’t standing on it at exactly the right time of day.

As knowledge workers, we’re always on the clock. We work on weekends. We read emails on our vacations and in the wee hours of the morning. Didn’t Silicon Valley already work this out? Don’t Google and the like tell employees to take time off whenever they need it? To go ahead and work from Starbucks if you want? Isn’t work about the outcome, as opposed to simply being busy?

“Do this to programmers and watch them leave,” Naked Security’s Mark Stockley says.

We can think that way if we’re knowledge workers, and if we’re lucky, our bosses will feel the same way.

Does that make it OK to stick cameras, heat and motion sensors, klaxons set to go off when they hit on keywords, and the like on the people we consider to be non-knowledge workers?

I’m thinking that factory workers, security guards, retail workers and the like would bristle at the notion just like anyone else.

No person is a collection of body parts, running in automatic mode, with their brain shut off and their knowledge put on a shelf.

But in a tough job market, and given a non-sympathetic legal landscape, what choice do workers really have?


7 Comments

I am confused by the part about eavesdropping on encrypted chat/messaging apps. To my knowledge, that should not be possible for an external party even if it is installed on the same device, because it wouldn’t have access to the private keys. Could you elaborate?
On a side note, the below part is beautiful. I’d like to call myself a knowledge worker because knowledge is power.
‘As knowledge workers, we’re always on the clock. We work on weekends. We read emails on our vacations and in the wee hours of the morning. Didn’t Silicon Valley already work this out? Don’t Google and the like tell employees to take time off whenever they need it? To go ahead and work from Starbucks if you want? Isn’t work about the outcome, as opposed to simply being busy?
“Do this to programmers and watch them leave,” Naked Security’s Mark Stockley says.’

Reply

When you use a chat app, your raw voice data has to be sucked into the app so it can be encrypted and sent to the other end, and the other guy’s replies have to be decrypted and pushed out of the app into your headphones unencrypted so you can hear them. Same for secure browsing: the end-to-end encryption doesn’t cover what’s actually displayed on the screen for you to read (or else it would just be so much shredded cabbage).

So if you have low-level interception software on the same device where the unencrypted data gets typed in/recorded in the first place, or displayed/played back after receipt, then you almost certainly *can* eavesdrop. (In fact, many voice-call apps have a handy “record this call” feature, built right in.)

Reply

There’s also HTTPS content scanning (which will freak out any app that uses certificate pinning, but many don’t) which a lot of companies use simply for security purposes… but could go a lot further. Everything goes through those firewall proxies which then MITM the secure connection using a trusted certificate that’s been pushed out to all the computers; as an end user you don’t have a lot of control over what happens there.

Reply
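The interception described in this comment, as an added example that is not the commenter’s or the article’s: a client that pins the server’s public key notices the inspection proxy’s certificate even though the workstation’s trust store, extended with the pushed root, validates it. It assumes only the openssl command-line tool; the hostname and both certificate authorities are constructed test data.

```shell
# Added example, not from the article or its commenters. Two roots are generated
# as constructed test data: a "public" CA and a "corporate inspection" CA of the
# kind an admin pushes to every managed workstation. Each issues a certificate
# for the same (constructed) hostname; both chains validate, only one matches
# the pin the application shipped with.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.test"

# new_ca NAME: self-signed root certificate and key; openssl's default
# req -x509 extensions mark it CA:TRUE so 'openssl verify' accepts it as anchor
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA NAME: CA signs a fresh end-entity certificate for $HOST
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the form used by
# HPKP and by most in-app pinning libraries
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der |
    openssl dgst -sha256 -binary | openssl base64
}

# chain_ok CA NAME: OK when NAME's certificate validates against a trust store
# containing CA (what a client with that root installed would conclude)
chain_ok() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# pin_ok NAME PIN: OK when NAME's SPKI pin equals the recorded PIN
pin_ok() {
  if [ "$(spki_pin "$WORK/$1.pem")" = "$2" ]; then echo OK; else echo FAIL; fi
}

new_ca public-root;  issue_leaf public-root genuine
new_ca corp-inspect; issue_leaf corp-inspect intercepted
PIN=$(spki_pin "$WORK/genuine.pem")   # pin recorded when the app was built
# Trust-store validation cannot tell the two apart; the pin can.
printf 'genuine      chain=%s pin=%s\n' "$(chain_ok public-root genuine)"      "$(pin_ok genuine "$PIN")"
printf 'intercepted  chain=%s pin=%s\n' "$(chain_ok corp-inspect intercepted)" "$(pin_ok intercepted "$PIN")"
```

The second line is the one a pinned app reports on: the chain is fine from the workstation’s point of view, but the public key is not the one it was built to expect.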

The issue of how much surveillance a company should engage in is tricky. What information is important enough to justify looking at everything an employee does? A lot of questions and few workable answers. The only real, IMHO, solution is an employee’s honest work ethic and the employer’s trust. Of course we all know how this plays out. I expect my employer to protect himself/herself, and I, in turn, leave my personal correspondence outside the workplace. My advice to employees is to keep it professional. Never use the work network for private affairs, and if you are unhappy with your job and can’t resolve the problems to make the job more satisfying, then find something else. Just don’t go looking on the employer’s time. Remember what I said about a good work ethic?

Thank you, Miss Vaas, for an insightful article.

Reply

We have some pretty strict “use of company resources” policies, and with good reason: insider threat. Unfortunately, it is what caused such policies to be put into place. At the same time we balance it with free and open wifi for personal devices and use. On the domain, strong web filters restrict most non-work activity; we are paid to work, and what you do on your time is your business.
No different than hiring someone to clean your house: if you found them sitting at your PC playing on Facebook when they should be working, would you keep them?
So long as you know the rules, it’s your choice to “work” there.
*Before PCs the supervisor would be watching everyone. As work became tech, so did slackers, thieves and supervising.
It’s known that insider threat is greater than outsider threat in IT. Just ask the NSA lol.
How far is too far? When it invades your personal life (outside of the workplace). Work is not life, it’s how we support it.

Reply
